User Profile
07Kingslayer
Copper Contributor
Joined 4 years ago
Recent Discussions
ASR Rule generating a lot of noise

I'm looking to implement ASR Rules in our environment. So far all rules are working as expected except "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", and it's generating a lot of noise: it shows me 2000+ results for the last 30 days when I use the below KQL query:

DeviceEvents | where ActionType == 'AsrLsassCredentialTheftAudited'

I believe this is auditing every event where a process attempts to get credentials from lsass.exe (I haven't seen a single suspicious process on my 50 test devices that are using the rule). Is there a way to configure this ASR rule to detect and only audit/block suspicious/malicious processes? I'm using ConfigMgr to deploy ASR Rules, btw. Thanks in advance.
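A follow-up triage query, added here as an example and not part of the poster's question. It assumes the standard Advanced Hunting DeviceEvents schema (Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessSHA1); the ActionType value is the one from the post. The rule itself audits every lsass.exe access and only distinguishes processes through ASR exclusions, so the useful next step is to rank which initiating processes produce the volume and on how many devices, review the fleet-wide ones (security agents, backup, monitoring tools) for exclusion, and investigate the rare ones first.

```kql
// Added example: rank the processes behind AsrLsassCredentialTheftAudited
// events over the same 30-day window the post describes.
let window = 30d;
let audited = DeviceEvents
    | where Timestamp > ago(window)
    | where ActionType == 'AsrLsassCredentialTheftAudited';
// Total devices that raised at least one audit, used to express reach.
let totalDevices = toscalar(audited | summarize dcount(DeviceName));
audited
| summarize
    Events = count(),
    Devices = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCommandLine = take_any(InitiatingProcessCommandLine),
    // Keep up to 5 distinct hashes per process to spot version drift
    // or a binary name being reused from an unexpected location.
    Hashes = make_set(InitiatingProcessSHA1, 5)
    by InitiatingProcessFileName, InitiatingProcessFolderPath
| extend DeviceCoveragePct = round(100.0 * Devices / totalDevices, 1)
// High coverage + expected folder path = candidate for an exclusion
// after review; low coverage or odd path = investigate first.
| extend Triage = case(
    DeviceCoveragePct >= 50, "fleet-wide: review for exclusion",
    Devices <= 2, "rare: investigate",
    "mixed: check folder path and hashes")
| order by Events desc
```

Exclusions for this rule are path-based, so confirm the folder path and hashes are consistent before excluding a process rather than excluding by file name alone.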